DHS Daily Open Source Infrastructure Report: Sep 28, 2010

Tuesday, September 28, 2010

Complete DHS Daily Report for September 28, 2010

Daily Report

Top Stories

 The Pentagon is refusing to comment on widespread accusations it is responsible for coordinating a cyber-attack with the “Stuxnet Worm” against Iran’s nuclear facilities, assaults Iran only recently confirmed. (See items 42 and 50)

42. September 27, FOXNews.com – (International) Pentagon silent on Iranian nuke virus. The Pentagon is refusing to comment on widespread accusations it is responsible for coordinating a cyber-attack against Iran’s nuclear facilities. Earlier this month, the Iranians acknowledged the “Stuxnet Worm” had invaded software it uses at multiple nuclear production plants. A Pentagon spokesman said September 27, the Department of Defense (DOD) can “neither confirm nor deny” reports it launched this attack. The Stuxnet worms enters networks through USB portals and is designed specifically to attack software made by Siemens, the German owned industrial corporation. Last year, the Pentagon was attacked by a virus that temporarily shut down e-mail services. That worm also entered the system through commonly used flash drives, or portable hard drives, that plug into USB ports. Since that attack, the Pentagon has banned the use of flash drives throughout the DOD, and that ban remains in place today. DHS said last week it is taking precautions to defend the U.S. against the Stuxnet worm. Source: http://liveshots.blogs.foxnews.com/2010/09/27/pentagon-silent-on-iranian-nuke-virus/

50. September 25, ComputerWorld – (International) Iran confirms massive Stuxnet infection of industrial systems. Officials in Iran confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported September 25. Experts from Iran’s Atomic Energy Organization also reportedly met recently to discuss how to remove the malware. Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus. A month later Microsoft acknowledged that the worm targeted Windows PCs that managed large-scale industrial-control systems in manufacturing and utility companies. Those control systems, called SCADA, for “supervisory control and data acquisition,” operate everything from power plants and factory machinery to oil pipelines and military installations. According to researchers with U.S.-based antivirus vendor Symantec, Iran was hardest hit by Stuxnet. Nearly 60 percent of all infected PCs in the earliest-known infection were located in that country. Since then, experts have amassed evidence that Stuxnet has been attacking SCADA systems since at least January 2010. Meanwhile, others have speculated that Stuxnet was created by a state-sponsored team of programmers, and designed to cripple Iran’s Bushehr nuclear reactor. Source: http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems

 As many as 100 homes could be affected by flood waters in Wisconsin due to the failure of a 120-year-old sand levee along the Wisconsin River. (See item 68)

68. September 27, CNN – (Wisconsin) Levee along Wisconsin River fails; extent of possible flooding unkown. As many as 100 homes could be affected by flood waters in Wisconsin due to the failure of a 120-year-old sand levee along the Wisconsin River. The levee, near the city of Portage in Columbia County, began to give way the night of September 26, according to the National Weather Service’s Milwaukee/Sullivan office. A representative of the Columbia County Emergency Operations Center, confirmed to CNN the morning of September 27 that the levee had in fact failed. “Once the levee completely fails ... it is unknown how far south the flood waters of the Wisconsin River will travel,” the weather agency said Sunday night. The levee is located on the south side of the Wisconsin River, just south of Portage. The weather agency urged residents to move to higher ground. Roadways, including parts of Interstate 39, could close. Authorities in Portage worked September 26 to evacuate residents as the levee approached imminent failure after heavy rainfall soaked the Midwest last week. An alert sent out by Columbia County Emergency Management September 26 urged residents near Blackhawk Park to evacuate immediately ahead of the flooding, which is expected to wash out a main road leading to about 150 residences. “Emergency vehicles including police, fire and EMS will not be able to reach residents,” the statement said. The deputy director of the county’s emergency management department, said September 26 it was unclear how many residents remained in the area. A Red Cross shelter was opened at a nearby church to accommodate displaced residents. The river at Portage is expected to stay above flood stage — 17 feet — through September 29. Portage will not be considered to be out of danger until the river has dropped below flood levels. The levee system, built in the 1890s, was constructed from locally available materials — mostly sand — “without any engineering design or adherence to any standards,” the Natural Resources department said in a statement last week. Source: http://www.cnn.com/2010/US/09/27/wisconsin.flooding/index.html?hpt=T1

Details

Banking and Finance Sector

15. September 27, The Register – (International) ZeuS attacks mobiles in bank SMS bypass scam. Security researchers have warned that cybercrooks might be able to compromise online bank accounts even in cases where banks use SMS messages to authorize transactions. The approach relies on first compromising a targeted user’s computer using a variant of the ZeuS banking Trojan before infecting the same user’s smartphone. Thereafter it would be possible to initiate a transaction and authorize it following the receipt of a SMS message to a second compromised device. The so-called ZeuS Mitmo (man-in-the-mobile) attack is explained in a blog post by a researcher of S21sec e-crime. It relies on tricking a user into getting infected by Zeus on the desktop, perhaps via a targeted e-mail that points to a booby-trapped Web site or contains an infected attachment. Thereafter, a user’s log-in credentials are captured the next time she logs into an online banking site. The malware then generates a fake dialog box that attempts to trick the victim into disclosing the number and manufacturer of her mobile phone. The phone would then be sent a fake security certificate, which is actually a malicious banking Trojan tailored to the target’s smartphone (Symbian or BlackBerry). The malicious application then monitors all incoming SMS as well as installing a backdoor to receive commands via SMS, from a designated command and control number, which can be altered. The approach is plausible if a little convoluted, but the added complexity may be worth it in targeted attacks, perhaps against organizations or wealthy individuals whose banks use SMS notification for two factor authentication of transactions. Source: http://www.theregister.co.uk/2010/09/27/zeus_mobile_malware/

16. September 27, Beaufort County Island Packet – (South Carolina) Ex-loan officer to plead guilty in fraud scheme. A former mortgage loan officer at Carolina First Bank on Hilton Head Island in South Carolina is scheduled to plead guilty September 27 to one count of conspiracy to commit bank fraud in connection with a scheme that cost banks as much as $7 million, according to a U.S. attorney. Prosecutors said the former mortgage loan officer used inflated appraisals to fraudulently arrange residential mortgages for “straw purchasers,” and then used the difference between the inflated mortgage proceeds and the actual value of the property to pay the straw purchasers, himself and others, according to court documents. Most of the properties involved are in Beaufort County. The loan officer said he is sorry and wants to take responsibility for his actions. Court documents state the alleged conspiracy cost Carolina First and other financial institutions $2.5 million to $7 million. The loan officer received more than $495,000 in kickbacks for the sale of eight homes, according to the documents. Upon conviction, he would have to forfeit any property he obtained as a result of the alleged conspiracy. The defendant faces a maximum of 30 years in prison, 5 years of supervised release, and a $1 million fine. Source: http://www.islandpacket.com/2010/09/27/1386085/ex-loan-officer-to-plead-guilty.html

17. September 26, China Post – (New York) Norwegian central bank sues Citigroup for fraud. Norway’s central bank has sued New York-based Citigroup for allegedly providing false financial statements that led to losses of about $835 million, a Citi official said September 24. Norges Bank complained Citigroup repeatedly issued “untrue statements and non-disclosure of material information to investors,” which led the bank to purchase Citi securities at inflated prices between 2007 and 2009. “Norges Bank lost in excess of $735 million on its investments in Citigroup common shares, and in excess of $100 million on its investments in bonds and preferred shares,” according to the lawsuit, filed in a Manhattan federal court earlier this month. “When the market slowly learned the truth of Citi’s financial condition, Citi came close to insolvency, and plaintiff lost a substantial amount of its investment,” it said. A Citigroup official said: “We believe the suit has no merit and we will defend ourselves vigorously.” Other than setting monetary policy in Norway, Norges Bank oversees one of the largest sovereign wealth funds in the world, the Government Pension Fund-Global, which holds hundreds of billion of dollars in assets. Citigroup, once the world’s largest bank, also faces a lawsuit filed in August 2009 by seven Norwegian towns, and an investment house that had lost millions in debt obligations sold by Citigroup. Source: http://www.chinapost.com.tw/business/company-focus/2010/09/26/273962/Norwegian-central.htm

18. September 25, Bank Info Security – (National) Two banks closed on Sept. 24. Federal and state banking regulators closed two banks September 24. These failures raise the total number of failed institutions to 144 so far in 2010. Haven Trust Bank Florida, Ponte Vedra Beach, Florida, was closed by the Florida Office of Financial Regulation, and the Federal Deposit Insurance Corporation (FDIC) was appointed receiver. First Southern Bank, Boca Raton, Florida, will assume all Haven Trust deposits. The two branches of Haven Trust will reopen as branches of First Southern. Haven Trust had $148.6 million in assets. The estimated cost to the Deposit Insurance Fund (DIF) will be $31.9 million. North County Bank, Arlington, Washinton, was closed by the Washington Department of Financial Institutions. The FDIC was appointed receiver. Whidbey Island Bank, Coupeville, Washington, will assume all of the deposits of North County Bank. The FDIC estimates that the cost to the DIF will be $72.8 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=2948

19. September 24, The New New Internet – (California) Hackers steal hundreds of credit-card numbers from restaurant patrons. Visits to several California-based restaurants turned out much more expensive than customers ever imagined. Police in Roseville, California, the week of September 13 revealed that nearly 200 customers had their credit-card numbers stolen after patronizing the eateries. While the police did not reveal which restaurants were affected due to the ongoing investigation, they said the restaurants themselves are not responsible. “We believe the breach is not actually at the restaurant but a third-party vendor that’s in the process between using your credit card at the restaurant and actually billing the bank,” a police captain told 3KCRA. Because of the complexity of the scheme, Roseville police have asked the Secret Service for help catching the criminals. In Davis, police are dealing with similar issues. They have seen a 50 percent increase in identity thefts. While police will not say where the cards are being copied, they revealed that crooks use them at Target stores in the Bay Area and as far away as Irvine. Source: http://www.thenewnewinternet.com/2010/09/24/hackers-steal-hundreds-of-credit-card-numbers-from-restaurant-patrons/

20. September 24, Associated Press – (Illinois) 2 charged in alleged investment fraud scheme. Federal prosecutors in Chicago, Illinois said they have indicted a California woman and a man who once lived in the Chicago suburb of Northfield on wire fraud charges in an investment scheme that allegedly swindled some 70 investors out of more than $30 million. A U.S. attorney announced September 24 that the charges were filed 1 day earlier against a 60-year-old woman of Canyon Country, California, and 45-year-old former Northfield man, who is now believed to be living in Texas. The U.S attorney said the suspects were the top officers of Unified World Transport LLC, a voice-over-Internet communications company based in Santa Monica, California, and allegedly misappropriated more than $12 million in investors’ funds for their own use. Source: http://www.mercurynews.com/breaking-news/ci_16167462?nclick_check=1

Information Technology

48. September 27, The Register – (International) Anti-piracy lawyers’ email database leaked after hack. Hackers have uploaded a leaked database of e-mails from anti-piracy law firm ACS:Law onto P2P networks and Web sites. ACS:Law was among a handful of entertainment industry-affiliated organizations to endure denial of service attacks by the denizens of 4Chan last week. A loose-knit collective of members of the notorious message board also hit the Motion Picture Association of America (MPAA), Recording Industry Association of America (RIAA), and the British Phonographic Industry (BPI) using online attack tools, taking the MPAA and RIAA offline in the process. Other targets of Operation: Payback is a [expletive] included solicitors ACS:Law and Davenport Lyons. During attempts to re-establish ACS:Law’s Web site, a compressed copy of what seems to be part of the firm’s e-mail database, contained in site backups, was exposed online. Hackers extracted the Webmail file and made it available via torrent trackers and posted it on some Web sites last weekend. “Their site came back online [after the DDoS attack] – and on their front page was accidentally a backup file of the whole Web site, including emails and passwords,” a leader of the attacking group told TorrentFreak. Information contained in the e-mail database reportedly includes personal details of the targets of the law firm’s threatening letters and business correspondence with ACS:Law’s partners. The data is buried among spam and office admin exchanges in a 350MB file. Slyck reports that the file contains around a month of Webmails belonging to a solicitor who is head of ACS:Law. Source: http://www.theregister.co.uk/2010/09/27/anti_piracy_lawyer_email_leak/

49. September 27, The Register – (International) Zeus botnets’ Achilles’ Heel makes infiltration easy. A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs. The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique. That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said the researcher, who discovered the defect and has written a simple program to exploit it. The researcher’s script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What’s more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server’s root directory, ensuring the attacker can easily find his malicious script. To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it’s loaded into computer memory, or by decrypting the bot’s configuration file. Source: http://www.theregister.co.uk/2010/09/27/zeus_botnet_hijacking/

51. September 24, Help Net Security – (International) Bizarre tale behind conviction for botnet initiated DDoS attack. In a curious twist of fate, a man who refused to continue his collaboration with a group whose goal was to unmask pedophiles because he was concerned that their methods were starting to break laws, has been found guilty of launching a DDoS attack with a botnet he assembled by himself. The target of his attacks were Web sites on which certain photos of him and his e-mail correspondence with a fictitious woman named Holly were published. “Holly” was created by the founder of the group whose members were posing as minors in chatrooms so they could unmask pedophiles, and worked with the NBC television show called “To Catch a Predator.” According to a Sophos blog, the programmer was targeted by the founder of the group, who decided to get revenge by embarrassing him. So, he posed as “Holly” and started an Internet relationship with the programmer. “Holly” asked him to leave his wife and meet her at the airport. The programmer did, and while he waited in vain with flowers in his hand, photos were taken by a hired photographer. The group founder then posted the photos and the e-mails on a Web site, and the story got picked up by Radar Magazine and Rolling Stone. Wanting to remove any trace of it from the Internet, the suspected programmer wrote a computer virus that ensnared some 100,000 computers around the world into a botnet under his command, and started bombarding sites that had published the story with a huge amount of bogus requests that made them crash. Source: http://www.net-security.org/secworld.php?id=9911

52. September 24, TrendLabs Malware Blog – (International) New Azvhan bot family revealed. A new bot family was found in the wild around April 2010 was recently revealed. The family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided. Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe. After installation, it deletes its original copy then executes the copy it installed. The domains it tries to connect to are registered on a well-known China-based dynamic DNS service. The IP addresses also lead to ISPs in China. As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems. In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following: computer name, CPU speed, language used, memory size, and windows version. Source: http://blog.trendmicro.com/new-azvhan-bot-family-revealed/

Communications Sector

53. September 27, New York Times – (National) U.S. wants to make it easier to wiretap the Internet. Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone. Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages. The bill, which the U.S. President’s administration plans to submit to lawmakers in 2011, raises fresh questions about how to balance security needs with protecting privacy and fostering innovation. And because security services around the world face the same problem, it could set an example that is copied globally. Source: http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=1

54. September 27, Long Island Press and Associated Press – (New York) No explosives found after Cablevision offices evacuated for bomb threat. Police in Nassau County, New York, said no explosive device was found following an evacuation September 26 at a Syosset building that houses Cablevision Systems Corp. offices. A bomb threat led authorities to clear out the building off the Jericho Turnpike at about 6:30 p.m. Police could not immediately say how many people were in the building at the time of the threat. Police are trying to determine who made a threatening call to the company. A Cablevision spokeswoman said the company is cooperating with authorities. Source: http://www.longislandpress.com/2010/09/27/no-explosives-found-after-cabelvision-offices-evacuated-for-bomb-threat/

55. September 24, IDG News Service – (Pennsylvania; National) Comcast hackers get 18 months in prison. Two hackers convicted of defacing Comcast’s Web site 2 years ago were sentenced September 24 to 18 months in prison. The 20- and 28-year-old suspects were part of a telephone hacking group called Kryogeniks that took control of the Comcast.net Web site in May 2008. After taking over an account used to manage Comcast’s Domain Name System information, they redirected visitors to their own Web site for several hours. Comcast.net drew about 5 million visitors per day at the time. During the incident, visitors who went to the site were greeted with the message “KRYOGENICS Defiant and EBK RoXed Comcast. sHouTz to VIRUS Warlock elul21 coll1er seven.” The two men were sentenced September 24 and must also pay almost $90,000 in restitution to Comcast. A third hacker was sentenced last month to 4 months in prison. Source: http://www.computerworld.com/s/article/9187978/Comcast_hackers_get_18_months_in_prison

56. September 24, The Register – (National; International) VoIP hacker sentenced to 10 years. A Venezuelan citizen was sentenced to 10 years in U.S. federal prison September 24 for hacking into the networks of telecommunications companies and then routing millions of minutes of voice over IP calls over their systems. The 27-year-old admitted in February that he pocketed more than $1m in the scam, in which he posed as a legitimate reseller of long-distance calling services. By scanning networks of AT&T and other companies, he was able to identify unprotected ports through which he could transmit more than 10 million minutes of unauthorized calls. The suspect, who spent much of his time in Miami, Florida was described as the mastermind behind the operation. For technical help in identifying vulnerable networks, he turned to a Spokane, Washington hacker. He was previously sentenced to 2 years in prison for his role, which included performing more than 6 million scans on AT&T’s network alone over a 5-month span in 2005. Source: http://www.theregister.co.uk/2010/09/24/voip_hacker_sentenced/

57. September 24, Mobiledia – (Washington) T-Mobile claims right to block texts. T-Mobile September 24 asked a federal court to throw out a lawsuit on censorship, arguing that it has the right to block text messages, which are not subject to the same regulations as voice services. The Bellevue, Washington-based carrier, which is being sued by EZ Texting for blocking its campaign for legal medical marijuana dispensaries, argued that while the Federal Communications Commission (FCC) does not allow carriers to block specific calls under the “common carriers” provision, text messages are exempt from that law. T-Mobile claims text messages, which are considered “information services,” are not under the FCC’s authority and can be blocked to “protect the carriers’ customers, businesses and brands from offensive, abusive, fraudulent or illegal information services.” The carrier added that it withdrew EZ Texting’s short codes because the marketing firm was supposed to get prior approval for all campaigns run over its network, as specified in its agreement. Source: http://www.mobiledia.com/news/74528.html

58. September 24, FierceWireless – (National) FCC approves unlicensed white space use. The Federal Communications Commission (FCC), in a long-awaited move, approved the use of unlicensed white space spectrum, clearing the way for new classes of devices that take advantage of what has been dubbed “super WiFi.” The FCC voted 5-0 to approve the plan, nearly 2 years after the agency first approved the use of white space spectrum — the tiny slivers of spectrum between TV broadcast stations. The 2008 order was delayed by lawsuits from broadcasters, church groups and a famous singer, all of whom argued such use of the spectrum could interfere with TV stations and wireless microphones. With the new vote, the FCC handed a victory to Google, Microsoft, Dell, Motorola and other companies that have been pushing for the spectrum to be unleashed. The FCC chairman said the vote will provide “unique opportunities for innovators and entrepreneurs.” Source: http://www.fiercewireless.com/story/fcc-approves-unlicensed-white-space-use/2010-09-24

59. September 24, Los Angeles Times – (National) Researchers calculate the death toll from texting while driving. According to researchers from the University of North Texas Health Science Center in Ft. Worth, texting behind the wheel accounted for 16,141 deaths between 2002 and 2007. The researchers arrived at that figure by analyzing nationwide traffic data from the Fatality Accident Reporting System and texting records from the Federal Communications Commission and CTIA, the wireless telecom industry group. Crunching the numbers, they calculated that if text messaging had never been invented, there would have been 1,925 traffic fatalities per year due to distracted driving beween 2002 and 2007. But they rose from 4,611 in 2001 to 5,988 in 2007. Some other factoids from the study: The percentage of all traffic deaths caused by distracted driving rose from 11 percent in 1999 to 16 percent in 2008; Only one-third of Americans had a cellphone in 1999. By 2008, 91 percent did; The average monthly volume of text messages was 1 million in 2002. By 2008, it was 110 million. The study was published online September 23 by the American Journal of Public Health. Source: http://www.latimes.com/health/boostershots/la-heb-distracted-driving-20100924,0,3103350.story

60. September 24, Salt Lake Tribune – (Utah; Colorado) Utah Internet users suffer outage. A Qwest Internet outage in Utah and Colorado crippled some businesses for more than 3 hours September 24, including The Salt Lake Tribune and its Web site. A Qwest spokesman said about 80 businesses in Salt Lake City were affected by the outage to “varying degrees.” Some businesses also were affected in parts of Colorado. “It ranged from slowdowns to outages,” he said. The outage occurred about 1 p.m. when a Qwest computer card failed. The Internet connections to the businesses were restored about 4:10 p.m. when the equipment was replaced. He did not know at which Qwest location the equipment failure took place. Some information- technology officials whose businesses suffered the outage were told by Qwest technical support representatives that the problem apparently involved the failure of an IP switch, which acts as a gateway directing data traffic to different customers. Source: http://www.sltrib.com/sltrib/home/50349837-76/outage-businesses-qwest-affected.html.csp

61. September 24, CacheValleyDaily.com – (Idaho) Backhoe causes broadcast power outage. A backhoe cutting through a power line on Mount Pisgah in Idaho was apparently the cause of an outage that was affecting some radio and television reception September 24. The splice has affected the broadcasts of HD-TV translators and some FM radio signals, including KVNU’s FM broadcast at 102.1. The outage may also have affected some cell phone carriers. Estimated repair time was 6 to 8 hours, which could mean service might not be restored until late September 24 or early September 25. Source: http://www.cachevalleydaily.com/news/local/Backhoe-causes-broadcast-power-outage-103755879.html

For more stories, see items 15 and 20 above in the Banking and Finance Sector

Blog Archive

Links

About Me